FortiGate Multi-Threat Security Systems

The Nature of Threats Has Evolved: Major Pain Points for Organizations of All Types
[Timeline diagram, 1970 to 2000: physical threats (lock & key, hardware theft), then connection-based threats (firewall, VPN and IDS against intrusions), then content-based threats (antivirus, antispam and content filter against viruses, worms, Trojans, spam and banned content); the speed and damage ($) of threats increase along the timeline.]

Fortinet Developed a Unique Architecture for Complete, Real-Time Network Protection
Core Technology
• FortiASIC Content Processor: proprietary Fortinet chip
  - Hardware scanning engine
  - Hardware encryption
  - Real-time content analysis
  - Purpose-built platform for queue management
• FortiOS Operating System: proprietary security-hardened OS
  - Real-time networking OS
  - High performance
  - Robust, reliable

Fortinet's FortiGate Multi-Layered Security Platform (* includes Anti-Spyware)
[Diagram: a FortiGate with IPS sits between infected computers and a hacker on one side and the Internet on the other, blocking connections to sites such as www.pornography.com, www.free_music.com/downloads and www.find_a_new_job.com.]

Stateful Inspection Firewall
• Inspects packet headers only, i.e. the type of data (TO, FROM, etc.), but not what is contained inside the data packets
• Looks at the envelope: packet "headers" are inspected, the packet "payload" (data) is not scanned
[Illustration: an HTTP download of http://www.freesurf.com/downloads/Gettysburg whose text contains "BAD CONTENT"; every packet passes as OK.]

IPS / Deep Packet Inspection
[Illustration: the same download; the IPS inspects the payload and flags the packet carrying "BAD CONTENT" while the Gettysburg text packets pass as OK.]

Complete Content Protection
[Illustration: the same download checked at three levels: 1. attack signatures, 2. disallowed content, 3. bad content ("nasty things", "nastier things") hidden in the payload.]

Approach to Complete Content Protection: Multi-layered Security
• Firewall - Defend against intrusions
• Anti-SPAM - Reduce unwanted email
• Antivirus Gateway - Protect email from virus infection
• Web filters - Eliminate unproductive web-browsing
• IPS / IDS - Protect against malicious attacks
• VPN (IPSec/SSL VPN) - Deliver secure remote access
[Diagram: separate VPN, URL filter, antivirus, firewall, IPS/IDS and anti-SPAM devices between the Internet, servers and users.]

Approach to Complete Content Protection: Multi-layered Security
• Advantage
  - Provides a comprehensive security approach
  - Minimizes down-time from individual threats
• Disadvantage
  - Requires multiple products
  - Increases network complexity and operational cost
  - Does not defend against "blended threats"

The Fortinet Approach: FortiGate Multi-layered Security
[Diagram: a single FortiGate provides the VPN, URL filter, antivirus, firewall, IPS/IDS and anti-SPAM functions between the Internet, servers and users.]

FortiGate - A New Generation of Security Platform
• Granular security policies
• Authentication enforcement
• Quality of Service
• Virtual Firewall
• Activity Inspection
  - HTTP, FTP, POP3, SMTP, IMAP
  - Signatures, Anomaly, Heuristics
• FortiGuard Antispam
  - Static list, RBL
• FortiGuard Web Filtering
  - Static list / Signature
• VPN
  - IPSec, SSL VPN
• Traffic priority (QoS)
  - Guaranteed rate, Max rate
[Diagram: FortiGate between servers and users]

[Slide: FortiNet ASIC]
[Slide: FortiNet feature overview: IPS, Antivirus, PC access control with Windows AD, IP monitoring & audit, IM/P2P control, central management]
[Slide: Virtualization: Virtual Domains (VD) on one FortiGate, VD1 using Port1 and Port2, VD2 using Port9 and Port10, with logging to a FortiAnalyzer FA800]
[Slide: Dual WAN redundancy (active-active) with load balancing, route-based IPSec VPN (OSPF/RIP) and SSL VPN: branch sites (POS, media center, VoIP phones, credit card holders) on ADSL, FTTB and HSDPA links reach the corporate data center over Service Provider A and Service Provider B IP-VPNs]
[Slide: Server Load Balance: port health status; static, weighted and round-robin methods]

High Availability
FortiGate Cluster:
• HA link
  - Can be any interface
  - Does not have to be dedicated
  - Can be redundant
[Diagram: FortiGate cluster between the Internet and the Intranet, joined by the HA link]

Mock-up of HA GUI
• Configurable product images
• Aggregate of all HA peers

High-availability GUI Details
• Selectable product icons
• Links to peer modification
  - Available from "Role" and "% Load" columns
• Arrows allow users to change unit display order
  - Display to match their physical location/deployment

Agenda
• Overview and System Setup
• Logging and Alerts
• Maintenance
• Firewall Policies
• Protection Profiles
• Firewall User Authentication
• SSL VPN
• Virtual Domain
• Diagnostics

Overview and System Setup

FortiGate Product Line
• Small Office / Home Office (SOHO) and Small to Medium Business (SMB): 50B, 60 series, 100A, and 110C (New)
• Enterprise: 200A, 300A, 310B (New), 400, 500, 620B (New), 800, 1000, 1000A, and 3600 series
• Large Enterprise, MSSP, and Carriers: 3016B, 3810A and 5000 series

FortiGate-310B Detailed Product Information
• Hardware
  - FortiASIC CP for UTM acceleration
  - 8 FortiASIC Network Processor (NP) accelerated ports
  - 2 copper non-NP accelerated ports
  - 1 single-width front AMC slot
  - 1 GB system memory
  - 2 USB ports
  - Backup DC connector (for future use)
  - 1 RU height rack mount unit
• Throughput
  - FG-310B base model: 8 Gbps firewall throughput, 6 Gbps IPSec VPN throughput
  - With optional AMC (as shown): 12 Gbps firewall, 9 Gbps IPSec VPN, 14 x GigE ports
• Firmware
  - FortiOS Multi-Threat Engine
  - Supported by FortiManager
  - Supported by FortiAnalyzer
  - Supported by FortiGuard A&M Svc.

AMC Modules: Optional Expansion for the FG-310B
• Advanced Mezzanine Card (AMC) expansion
  - ASM-FB4: 4 port ASIC accelerated SFP module; provides 4 Gbps wire-speed FW performance and 3 Gbps IPSec VPN performance
  - ASM-S08: 80 GB hard disk drive; high duty cycle design; improves logging and local archiving

[Diagram: FortiGate-310B logical diagram: CPU, FortiASIC CP content processor, two FortiASIC NP2 network processors serving 8 accelerated GbE ports, 2 non-accelerated GbE ports, and an AMC slot for additional scalability.]

[Diagram: Typical hardware packet flow (1st generation firewall): interfaces, CPU, host memory and console; every packet is processed by the CPU, which under DDoS is exhausted by session maintenance, packets per second (200 M @ 64 byte) and NAT.]

[Diagram: Packet flow (2nd generation firewall): interfaces, ASIC, host memory, CPU and console; a mixed control/data path shared between the ASIC and the CPU.]

[Diagram: FortiGate initial packet flow with NP2: the first packet of a session passes from the interfaces through the FortiNP2, ASIC memory, memory and CPU (control and data path).]

[Diagram: Fast path packet flow of an established session: the fast path (data path) in the FortiNP2 is used to accelerate traffic for established flows between the interfaces.]

Physical
• All FortiGate models have:
  - Network interface ports: RJ45; SFP / XFP (on some enterprise models)
  - Serial console: RJ45 / DB9 (9600, 8, N, 1, None)
• Additional features on some models:
  - Integrated switch
  - Interactive LCD screen
  - USB ports
  - Hard drive
  - Modular slot bays (AMC)

Administrative Access
• Access to the firewall for the purpose of administration and maintenance
• Configured on a per interface basis
• By default, only the "internal" interface will be accessible via the GUI and CLI
• Default administration account is "admin" with a null password

System Dashboard
• System Information
• Message Console
• Menu
• Licensing and Entitlements
• Content and Attack Statistics

Finding Help
• Context-sensitive help can be accessed from anywhere in the GUI by clicking the Online Help icon

Interface IP Addressing
• IP addresses can be assigned in three ways:
  - Static (e.g. 192.168.1.99 / 255.255.255.0)
  - DHCP
  - PPPoE
• Each interface supports multiple IP addresses, each with independent administrative access settings

DHCP Server / Relay
• A DHCP server may be configured on any interface with a static IP address
• Multiple DHCP servers on a single interface
• Relay a DHCP request to a remote DHCP server

Static Routes
• Default gateway entry
  - Required for public network access, and for FortiGate access to FortiGuard and DNS servers
• Routing decision based on destination network and longest match
  - Outgoing interface and distance (1-255) can be specified
  - Multiple routes to the same destination can exist, but one is preferred
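As an added illustration (not from the course material or FortiOS itself) of the routing decision just described, the following Python code selects the preferred static route for a destination: longest matching prefix first, then lowest distance. The route table and interface names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    """One static route entry; a destination of 0.0.0.0/0 is the default gateway entry."""
    destination: str    # destination network in CIDR form
    gateway: str        # next-hop address
    interface: str      # outgoing interface, e.g. "wan1"
    distance: int = 10  # administrative distance, 1-255; lower is preferred

    def __post_init__(self) -> None:
        if not 1 <= self.distance <= 255:
            raise ValueError(f"distance must be 1-255, got {self.distance}")
        ipaddress.ip_network(self.destination, strict=False)  # validate early

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.destination, strict=False)


def select_route(routes, dst_ip):
    """Return the route used for dst_ip, or None when nothing (not even a default) matches.

    Rule: the most specific (longest) matching prefix wins; when several routes
    share that prefix length, the one with the lowest distance is preferred.
    """
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance))


# Constructed example table (sample addresses, not from the course):
ROUTES = [
    StaticRoute("0.0.0.0/0", "203.0.113.1", "wan1", distance=10),   # preferred default
    StaticRoute("0.0.0.0/0", "198.51.100.1", "wan2", distance=20),  # backup default
    StaticRoute("10.10.0.0/16", "192.168.96.1", "internal"),
    StaticRoute("10.10.5.0/24", "192.168.96.2", "dmz"),
]


def egress_interface(dst_ip, routes=ROUTES):
    """Interface a packet to dst_ip leaves through, or None if it is unroutable."""
    route = select_route(routes, dst_ip)
    return route.interface if route else None
```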

CLI – Overview
• Accessible via SSH, Telnet, or serial console
• Branch-Table structure (branch, table, parameter):
config system interface
    edit port1
        set vdom "root"
        set ip 172.20.110.251 255.255.255.0

CLI – Basics
• Hierarchy traversing commands: config, edit, next, end, exit, abort
• To see the next available command, use "?"
• Command word completion with <tab>

CLI – Config
• Allows for the configuration of tables
• To set the IP address of the wan2 interface:
Fortigate-60 # config system interface
Fortigate-60 (interface) # edit wan2
Fortigate-60 (wan2) # set ip 192.177.11.12 255.255.255.248
Fortigate-60 (wan2) # end
Fortigate-60 #

CLI – Get
• Displays all table parameters and their current values
Fortigate-60 (internal) # get
name                : internal
vdom                : root
cli-conn-status     : 0
mode                : static
dhcp-relay-service  :
dhcp-relay-ip       :
dhcp-relay-type     :
ip                  : 192.168.96.254 255.255.255.0
allowaccess         : ping https http telnet

CLI – Show
• Displays the exact commands used to create a table's current configuration
Fortigate-60 (internal) # show
config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.96.254 255.255.255.0
        set allowaccess ping https http telnet
        set type physical
    next
end

CLI – Execute
• Static commands are prefixed with "execute", e.g.: execute factoryreset, execute ping, execute backup

Administrative Users
• Accounts responsible for firewall configuration and maintenance
• Have CLI / GUI access to the firewall
• Accounts can be held locally, on a RADIUS server, or use PKI
• Logins and passwords are case sensitive

Administrative Users
• Administrator accounts can have differing access based on their profile
• Trusted Hosts can be set per account to limit which IP addresses can use the account

FortiGuard Distribution Network
• For updating Antivirus and IPS signatures
• FDN servers all over the world, selected by the firewall's time zone
• There are three ways to update via FDN:
  - Scheduled (e.g. every 2 hours)
  - Push (a token is pushed to the firewall)
  - Manual (initiated by administrator)

Labs
• First Steps
  - Initial network connectivity and setup
  - FortiOS Command Line Interface (CLI)
• System Settings and Administration
  - Global settings
  - Administrative users
  - FortiGuard entitlements


Logging and Alerts

Configuration
• Choose the location and a minimum severity:
  - FortiAnalyzer
  - SysLog
  - Memory
  - Local Hard Disk (on some models)
• Enable log generation:
  - Protection Profile (content archiving)
  - Event log (system and VPN events)
  - Firewall Policy or Interface (traffic)

Log Message Priorities
• All messages have a priority level: Emergency, Alert, Critical, Error, Warning, Notification, Information, Debug
• Example log message:
2007-01-11 14:23:37 log_id=0104032126 type=event subtype=admin pri=notification vd=root user=admin ui=GUI(192.168.96.1) seq=3 msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"

Event Logging
• Responsible for:
  - Core system events
  - VPN events
  - Administration events

Content Inspection Logging
• Controlled by Protection Profiles (covered later)

Traffic Logging
• Traffic can only be logged to a remote device (FortiAnalyzer, SysLog)
  - Local hard disk traffic logging not recommended
• Traffic logging can be enabled:
  - Per firewall policy
  - Per interface
• Logging traffic per firewall policy is more granular and better for troubleshooting

Viewing Log Files
• Logs located locally or on a FortiAnalyzer can be viewed via "Log Access" on the FortiGate

Content Archiving
• The ability to log session transaction data for:
  - HTTP
  - FTP
  - NNTP
  - IM (AIM, ICQ, MSN, Yahoo!)
  - Mail (POP3, IMAP, SMTP)
• Ability to archive downloaded files and e-mails
• Requires a FortiAnalyzer appliance

Alert E-mail
• Generates an e-mail upon detection of a message meeting
  - a defined severity level or
  - an event category type
• Up to three recipients on the specified mail server
• Supports SMTP authentication

FortiAnalyzer Appliance
• Stores log messages for analysis and archive
  - FortiGate Log Filter sets the log types to send
• Transmission of log messages can be secured through an IPSec tunnel
• Serves as a remote log message repository for diskless devices
• Only accepts log messages from registered devices

SNMP
• SNMP v1 and v2c support
• MIB available from the Fortinet Support site
• Enable on the interface in the direction of the SNMP manager
• Read (get) access only

Lab
• Logging and Monitoring
  - Logging configuration
  - FortiAnalyzer device registration
  - Alert email configuration


Maintenance

Maintenance
• Maintenance of firewalls includes many tasks such as:
  - Configuration backup
  - IPS signature updates
  - Anti-virus signature updates
  - FortiGuard Center
  - Firmware upgrades
  - FortiGuard Services registration / maintenance

Configuration Backup
• Configuration can be backed up from:
  - GUI
  - CLI
• The backup file can be sent to:
  - FortiUSB
  - Local PC via GUI (HTTP)
  - Local PC via GUI (SCP)
  - Local PC via CLI (TFTP)

Configuration Backup
• There are three types of backup:
  - Clear text (default)
  - Full config (CLI: show full-configuration)
  - Password protected
• Password protected backups provide:
  - Backup of IPSec certificates
  - Protection from alteration (checksum)

Registration
• Registering your firewall provides many benefits, including:
  - FortiGuard Services activation and trials
  - Service and support contracts
  - Centralized device information
  - Creation of support tickets
  - Technical support forum access
  - Access to firmware updates

Fortinet Support Registration
[Screenshot: unit information, service agreements, active support tickets]

FortiGuard Distribution Network
• A Fortinet-maintained worldwide network for update distribution:
  - Antivirus signatures
  - IPS signatures
• There are three ways to update using FDN:
  - Scheduled
  - Push
  - Manual

FDN Push Updates
• Push updates have the following characteristics:
  - The FNS sends a token to your firewall when an update is available
  - Update occurs on 9443/UDP
  - The firewall will require a virtual IP on any NAT device between it and the public network

Firmware Maintenance
• Fortinet makes firmware updates available at support.fortinet.com
• A configuration backup should be performed before any firmware maintenance
• Firmware files are platform specific

Firmware Upgrades
• Firmware can be updated in three ways:
  - FortiUSB
  - GUI (POST)
  - CLI (TFTP)
  - CLI (FTP)
• During a firmware upgrade the configuration will be retained

Firmware – Dual image support
• Starting with the FortiGate 100A, firewalls have two partitions within NVRAM
• This allows these models to have:
  - Two independent firmware images
  - Two independent configuration files

FortiGuard Center
• Fortinet's most current malware information and security alerts:
  - Advisories
  - Virus and Spyware encyclopedias
  - Latest IPS vulnerabilities
  - Global threat statistics
  - FortiGuard URL lookup
  - and more!

System Health Monitoring
• Firewall health monitoring:
  - CPU utilization history
  - Memory utilization history
  - Active sessions count
  - FortiAnalyzer or local disk space

Firewall Session Table
• View current sessions on the firewall
• Filter based on:
  - Protocol
  - Source IP/Port
  - Destination IP/Port
  - Firewall Policy ID
• Allows session removal


Firewall Policies

[Diagram: operation modes: 1. Route/NAT mode, with the FortiGate between the ATU-R router and the switch; 2. Transparent mode, with the FortiGate inserted without changing addressing.]

[Diagram: NAT (Network Address Translation): internal IP addresses 192.168.1.1-192.168.1.254 behind the FortiGate are translated to the public IP address(es) (219.165.172.22 in the diagram) toward the Internet.]

NAT (Network Address Translation)
• A firewall policy with NAT translates the source address to the FortiGate interface IP or to an IP pool address
• RFC1918 indicates the private IP networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
[Diagram: a client packet SrcIP 192.168.1.5 DstIP 1.1.1.5 Prot 6 SrcPort 12345 DstPort 80 Data Get leaves the FortiGate toward the HTTP server 1.1.1.5 with the source rewritten to the FortiGate's public IP and SrcPort 54321.]

Route
[Diagram: a firewall policy without NAT forwards the client packet (Prot 6 SrcPort 12345 DstPort 80 Data Get) to the HTTP server 1.1.1.5 with its source IP and port unchanged; the FortiGate routes between its interfaces.]

Transparent
[Diagram: in transparent mode the same packet (Prot 6 SrcPort 12345 DstPort 80 Data Get) to the HTTP server 1.1.1.5 passes through the FortiGate unchanged; the client and server share one IP network.]

Firewall Policies – Overview
• Policies are configured between interface pairs, from ingress to egress interface
• Traffic can NOT pass through a FortiGate unless matched exactly by a firewall policy

Firewall Policies – GUI
• Default Internal to External policy on SOHO models
• Firewall > Policy

Firewall Policies – Actions
• Packets matched on: addresses, protocol/ports, ICMP type/code, and schedule
• In NAT/Route mode, the firewall policy dictates whether traffic will NAT or route
• There are two primary types of firewall policies:
  - Accept
  - Deny

Firewall Policy Example
[Screenshot: interface pair, service, NAT / Route, Protection Profile]

Stateful Inspection
• TCP states are tracked in the session table
• Pseudo states are created for non-stateful protocols: IP, UDP, ICMP

Firewall Addresses – IP/Range
• Two types of addresses:
  - IP / IP Range
  - FQDN
• Several ways to declare an IP Range:
  - 192.168.1.99
  - 192.168.1.0/24
  - 192.168.1.0/255.255.255.0
  - 192.168.1.99-192.168.1.105
  - 192.168.1.[99-105]
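As an added example (not part of the course material), the following Python code parses the five address-object notations listed above into an inclusive first/last address pair, so that a policy check can test whether a host falls inside an object; the function names are assumptions.

```python
import ipaddress
import re

# Matches the bracket form 192.168.1.[99-105]: first three octets, then a last-octet range.
_BRACKET_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\[(\d{1,3})-(\d{1,3})\]$")


def parse_address(spec):
    """Return the inclusive (first, last) IPv4 addresses covered by one address object.

    Accepted forms (as listed on the slide):
      192.168.1.99                 single host
      192.168.1.0/24               CIDR prefix
      192.168.1.0/255.255.255.0    subnet with dotted mask
      192.168.1.99-192.168.1.105   explicit range
      192.168.1.[99-105]           last-octet range
    """
    spec = spec.strip()
    if "/" in spec:
        # ipaddress accepts both prefix-length and dotted-mask notation
        net = ipaddress.IPv4Network(spec, strict=False)
        return net.network_address, net.broadcast_address
    m = _BRACKET_RANGE.match(spec)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        # IPv4Address raises ValueError if lo or hi is not a valid octet
        first = ipaddress.IPv4Address(f"{prefix}.{lo}")
        last = ipaddress.IPv4Address(f"{prefix}.{hi}")
    elif "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        first = ipaddress.IPv4Address(lo_s.strip())
        last = ipaddress.IPv4Address(hi_s.strip())
    else:
        first = last = ipaddress.IPv4Address(spec)
    if first > last:
        raise ValueError(f"range start is after range end: {spec}")
    return first, last


def address_size(spec):
    """Number of host addresses the object covers."""
    first, last = parse_address(spec)
    return int(last) - int(first) + 1


def address_contains(spec, ip):
    """True when ip falls inside the address object."""
    first, last = parse_address(spec)
    return first <= ipaddress.IPv4Address(ip) <= last
```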

Firewall Addresses – FQDN
• The firewall must have functioning DNS entries to utilize FQDN address objects
• FQDN resolution cache time is dictated by the DNS server

Firewall Services – Overview
• Allows firewall policies to use specific protocol-port combinations (e.g. "http" = tcp/80)
• The firewall has many predefined service objects
• Can create service groups for additional flexibility

Firewall Services – Custom
• Three protocol types can be used:
  - TCP/UDP
  - ICMP
  - IP

Firewall Schedules
• Time-based control for firewall policies

NAT
• Firewall Policy (uni-directional)
  - Standard
  - IP Pool
  - Fixed Port
• Virtual IP (bi-directional)
  - Static
  - Load Balance
  - Server Load Balance

Firewall Policy – Standard
• Port Address Translation to the session egress interface IP address

Firewall Policy – IP Pool
• Port Address Translation to an IP address declared in the associated range
• Firewall > Virtual IP > IP Pool

Firewall Policy – Fixed Port
• The source port will not be altered as the session passes through the firewall
• This technology is useful for applications that are not compatible with port address translation

Firewall Policy – Configuration
• Firewall Policy:
  - Check the NAT checkbox in a firewall policy
• Firewall Policy with IP Pool:
  - Create an IP Pool
  - Check the NAT checkbox in a firewall policy
  - Check the "Dynamic IP Pool" checkbox in a firewall policy
  - Choose the appropriate IP Pool
• Firewall Policy with Fixed Port:
  - Check the NAT checkbox in a firewall policy
  - Check the "Fixed Port" checkbox in a firewall policy

Virtual IP
• Used to allow the public limited access to an internal host (e.g. DMZ)
• Special NAT mapping for incoming connections
• Three types:
  - Static NAT
  - Load Balance
  - Server Load Balance
• Ability to perform port forwarding

Virtual IP – Static NAT
• Creates a bi-directional translation between an internal IP and an external IP
• The source IP of traffic originating from the internal host will be translated
• Possible to utilize IP ranges
• Port Forwarding can be used to alter the source or destination ports

Virtual IP – Load Balancing
• External IP address is mapped to multiple internal IP addresses
• A single IP address is seen by the outside
• External IP address must be static, not assigned to an interface
• Round robin is utilized for load balancing

Protection Profiles

Protection Profiles – Description
• Allow for granular application of content inspection technologies
• Firewall > Protection Profile

Protection Profiles – Application
• Protection Profiles may be applied to any permissive Firewall Policy
• If Firewall Authentication is used, to a User Group
• Multiple Protection Profiles may be created:
  - Internal to Public
  - Public to DMZ
  - Internal to DMZ
• A single Protection Profile can be applied to multiple policies

Lab
• Firewall Policy Basics
  - Policy objects
  - Policy lists
  - VIP


IM and P2P Filtering

IM – Features
• IM protocols supported:
  - MSN Messenger
  - ICQ
  - AOL Instant Messenger (AIM)
  - Yahoo! Instant Messenger (Yahoo!)
  - SIMPLE*
• Features:
  - Per protocol
  - Per user

IM – Content Archive
• IM chat summary information
• Full IM chat dialog
• Archiving copies of files transferred
• Requires FortiAnalyzer

IM – Configuration
• For all IM functions, protocols must be enabled within the Protection Profile

IM – Configuration
• Set the default temporary user policy
• Users will be added to the List of Temporary Users as they attempt to log in
• IM, P2P & VOIP > User > Config

IM – Configuration
• Temporary users that have been blocked or allowed will be added to the user list
• Users can also be created before being added to the temporary user list
• IM, P2P & VOIP > User > User List

IM – Current Users
• Current IM users can be viewed for all protocols or selected protocols
• Clicking the Block link next to a user will result in the user being disconnected immediately and a User List status change
• IM, P2P & VOIP > User > Current Users

Peer-to-Peer (P2P) Features
• Supported protocols:
  - BitTorrent, eDonkey, Gnutella, Kazaa (FastTrack), Skype, WinNY
• Pass, Block or Rate-limit only

IM Antivirus
• Features:
  - Anti-Virus scanning for file transfers
  - File pattern blocking
• Must be enabled within the Anti-Virus section of the Protection Profile
• If a virus is detected during an IM session, a replacement message will appear within the IM client window

Antivirus

Antivirus Overview
• Scanning
  - Files
  - Archives
  - Grayware / spyware
• Other
  - File pattern blocking
  - Quarantine
  - Fragmented e-mail blocking
  - Oversize file and e-mail blocking

Antivirus Updates
• The Antivirus has two components that require regular update:
  - Engine
  - Signatures
• The updates can be retrieved from:
  - FortiGuard Distribution Network (FDN)
  - Packages located on the support site

Antivirus Scanning
• Decreases the chance of malicious code execution by clients
• Signature-based with Wild List + selected others
• Accelerated by the proprietary FortiASIC hardware chip
• Capable of protecting:
  - HTTP
  - FTP
  - Mail (IMAP, POP3, SMTP)
  - IM (AIM, ICQ, MSN, Yahoo!)
  - NNTP

Antivirus Engine
• The Antivirus system scans only well-known ports by default (e.g. "http" = tcp/80)
• It is possible to add additional ports to each supported protocol via CLI
• Only active in a session when a command trigger (file transfer) is detected

Scanning Non-standard Ports
• Antivirus scanning can be configured to recognize application traffic on non-standard service ports
• Use for customized mail servers or web proxies
Example:

config antivirus service smtp
    set port 25
    set port 2525
end

To remove, use "unset port", but note that all ports are deleted!

Replacement Messages
• Upon detection of a virus, infected files are removed and a Replacement Message substituted
• Customizable text or HTML

Grayware / Spyware
• The firewall supports scanning for grayware and spyware threats such as:
  - Adware
  - Browser Helper Objects (BHO)
  - Spyware
• Disabled by default
• Grayware scanning can be selectively enabled in: Antivirus > Config > Grayware

File Pattern Block / Allow
• Configured in the File Pattern section of Antivirus
• A list is then referenced in the Protection Profile
• Performed before Antivirus scanning
• Multiple lists are supported

Client Comforting
• Enabled within the Protection Profile
• Passes small amounts of data to the client during the scanning process
• Available for:
  - HTTP
  - FTP

Oversized Files
• Firewalls below the enterprise class can scan files up to 10% of total memory size (e.g. FortiGate 60 = 12MB)
• Files above this threshold are termed "Oversized files" and are either:
  - Dropped
  - Passed
• The Oversize File Threshold can be lowered to improve scanning performance

Antivirus Scanning – Archives
• Scanning of archives (zip, gzip, bzip2, tar, rar, arj, lzh, lha, cab)
• Scanning of "packers" (ASPack, FSG, UPX, Petite)
• Scanning of encoded files (e.g. uuencode)
• Can configure up to 99 levels of depth in CLI (default: 12)

Uncompression Size Limit
• If the oversize file threshold is lowered, the Uncompression Size limit should also be changed
• Set with the CLI on a per protocol basis
• Default is 10MB but can be increased to 10% of memory

Quarantine
• Allows the firewall to quarantine files to a FortiAnalyzer for later retrieval or analysis
• Blocked HTTP and FTP files cannot be quarantined (file name is in the request)

Lab
• Antivirus Scanning
  - Global AV settings
  - Protection profile set-up
  - Web traffic scanning
  - Mail scanning

Intrusion Prevention System

Intrusion Prevention System
• Access control to protect computers from exploitation
• An extension of intrusion detection (IDS) technology
  - Another form of access control, like an application layer firewall
• FortiOS leverages its existing deep packet inspection engine by sharing this functionality with an intrusion prevention system
• Designed to sit inline with traffic flows and prevent attacks in real-time
• Decodes layer 7 protocols like HTTP, FTP, and SMTP

IPS Components
• IPS Engine Module
  - Parse application level protocols
  - Detect protocol violations
  - Facilitate signature matching
• DoS Module
  - Anomaly detection
  - Stop DoS attacks: packet flooding, network scanning
• IPS Signatures
  - Pre-defined rules to inspect fingerprints of attacks targeting a vulnerable end system

Protocol Decoders
• Protocol decoders are defined and updated in the engine:
  - HTTP, SMTP, POP3, IMAP, Telnet, FTP, DNS, SNMP, RADIUS, LDAP
  - MSSQL, SUN RPC, SIP, H.323, TFN2K, BO, BO2K

Zero Day Attacks
• Attacks that are not previously known
  - IPS can detect new worms that propagate using known vulnerabilities
  - Application level protocol decoding checks for protocol violations, such as buffer overflow

IPS Configuration
• IPS is part of the content inspection suite, and must be enabled in the protection profile
• The protection profile must then be applied to a firewall policy or authentication group
• Enabling of IPS signatures and anomalies can be done on a severity basis

IPS Configuration
• Each IPS signature and anomaly has a severity classification:
  - Critical
  - High
  - Medium
  - Low
  - Information
• The severity for an individual signature can be viewed by examining the signature list

IPS Signature List
• Updates to the IPS signature database are performed by the FDN
• The IPS signature list can be filtered by severity and action

IPS Anomalies
• An IPS anomaly is triggered when unexpected traffic patterns are detected
• An anomaly is typically seen when a normal type of traffic occurs at an abnormal rate
• Action can be taken to prevent IPS anomaly traffic from passing through the firewall

Anomaly List
• Like the IPS signature list, the anomaly list can be filtered by severity and action
• The anomaly list is considerably shorter than the signature list
• It is not possible to create custom anomalies

IPS Detection Actions
• Pass, Drop (alerts for every packet trigger)
• Pass Session, Drop Session, Clear Session (alert for 1st packet trigger only)
• Reset, Reset Client, Reset Server
• Set at group or individual signature level

IPS Logging
• To log an IPS event:
  - Enable the correct IPS severity within the protection profile
  - Ensure that "Log Intrusions" is enabled within the protection profile logging section
  - Enable logging for the individual event
  - Set the logging location to an appropriate severity

Example IPS Log Message
• type=ips subtype=signature pri=alert vd=root serial=1995 attack_id=103022611 src=69.45.64.22 dst=192.168.1.100 src_port=80 dst_port=4887 src_int=wlan dst_int=internal status=detected proto=6 service=4887/tcp user=N/A group=N/A msg="web_client: IE.IFRAME.BufferOverflow.B [Reference: http://www.fortinet.com/ids/ID103022611]"
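As an added example (not from the course material or any Fortinet tool) covering both the event log message under "Log Message Priorities" and the IPS log message above, the following Python code parses FortiGate key=value log lines, filters them by the priority levels the course lists, and summarises IPS signature hits. The sample lines are constructed from the two examples in the course; the function names are assumptions.

```python
import re

# Priority levels from highest to lowest, as listed under "Log Message Priorities".
PRIORITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "information", "debug"]

# key=value pairs; a value is either a double-quoted string or a run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Turn one FortiGate log line into a dict of its key=value fields.

    Leading text that is not a key=value pair (such as the date/time stamp of the
    event log example) is ignored; quoted values have their quotes removed.
    """
    record = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        record[key] = value
    return record


def at_least(record, minimum):
    """True when the record's pri is at or above the given minimum severity."""
    pri = record.get("pri", "debug").lower()
    if pri not in PRIORITIES or minimum not in PRIORITIES:
        raise ValueError("unknown priority level")
    return PRIORITIES.index(pri) <= PRIORITIES.index(minimum)


def filter_logs(lines, minimum):
    """Parse the lines and keep those meeting the minimum severity, most urgent first."""
    kept = [r for r in map(parse_log_line, lines) if at_least(r, minimum)]
    return sorted(kept, key=lambda r: PRIORITIES.index(r.get("pri", "debug").lower()))


def ips_summary(record):
    """One-line summary of an IPS signature log, or None for other log types."""
    if record.get("type") != "ips":
        return None
    return (f"{record['pri'].upper()} attack_id={record['attack_id']} "
            f"{record['src']}:{record['src_port']} -> {record['dst']}:{record['dst_port']} "
            f"status={record['status']}")


# Constructed sample lines, copied from the two example messages in the course.
SAMPLE_LINES = [
    '2007-01-11 14:23:37 log_id=0104032126 type=event subtype=admin pri=notification vd=root '
    'user=admin ui=GUI(192.168.96.1) seq=3 '
    'msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"',
    'type=ips subtype=signature pri=alert vd=root serial=1995 attack_id=103022611 '
    'src=69.45.64.22 dst=192.168.1.100 src_port=80 dst_port=4887 src_int=wlan '
    'dst_int=internal status=detected proto=6 service=4887/tcp user=N/A group=N/A '
    'msg="web_client: IE.IFRAME.BufferOverflow.B '
    '[Reference: http://www.fortinet.com/ids/ID103022611]"',
]
```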

Implementing
• Best to use IPS as a detection mechanism initially
• Adjust thresholds and actions to fit your network traffic patterns
• Disable IPS signatures and anomalies that do not apply to your network
• Perform a large amount of logging
• Analyze logging messages:
  - Does it make sense in relation to network activity?
  - Single isolated occurrence or widespread multiple instances?

Advanced IPS Settings
• IPS global settings:
config ips global
    set fail-open
    set ip_protocol
    set socket-size
    set ignore-session-bytes
end
  - fail-open: pass or block traffic should the IPS service fail (default pass)
  - ip_protocol: restrict IPS processing to only those services allowed by firewall policies (default disable)
  - socket-size: set the IPS buffer size; the size is model-dependent
  - ignore-session-bytes: check only the first X amount of bytes for a session

Advanced IPS Settings
• FDN Attack Updates:
config system autoupdate ips
    set accept-recommended-settings <disable|enable>
end
  - When the IPS is updated, user-modified settings are retained
  - If the signature settings have not been modified and the update settings are different, this command determines which settings are used

Lab
• Intrusion Prevention System


Authentication

FWUA (firewall user authentication) .Authentication ‡ A User object is a instance of an authentication method ‡ A User Group object is a container for User objects  Identifies group members  Protection Profile and Type provides authorization attributes for members ‡ FortiGate units control access to resources based on group membership  The combination of User Group and Firewall Policy defines the authorization for a particular user  Firewall Policy: VPN (SSL/IPSec/PPTP/L2TP).

Authentication ² User/Server Types ‡ Local password file  Username and password prompt ‡ RADIUS  Username and password prompt ‡ LDAP / AD  Username and password prompt ‡ FSAE / NTLM (AD)  Single Sign On based on earlier authentication event ‡ PKI  Certificate based authentication .

Authentication – Services
- Firewall Policies (Firewall User Authentication)
- SSL VPN
- IPSec VPN
- PPTP and L2TP
- Admin login
- FortiGuard Web Filtering Override

Firewall Policies
- User Groups linked to Accept Firewall Policies
  - On successful authentication a temporary rule is created
  - If no traffic is present, the rule is removed after the ‘authtimeout’
- Local, RADIUS, LDAP authentication presents the user with a login page
  - On successful authentication the user is redirected to the requested site
- Windows AD (FSAE and NTLM)
  - Authentication based on AD Group membership
- PKI user authenticated on presentation of a valid certificate
  - HTTPS (and HTTP with redirect to HTTPS)

SSL VPN
- User Groups are linked to SSL VPN policies
  - Allows users access to the SSL VPN portal
  - Creates temporary rules based on SSL VPN firewall policies linked to the User Group
- Local, RADIUS, LDAP present the user with a login page
  - On successful authentication the user is connected to the SSL VPN portal
- PKI allows a user to be authenticated on presentation of a valid certificate
  - Users are directly connected to the portal; no username or password is required

IPSec VPN
- Phase 1 objects authenticate remote gateways using a Peer ID, and a pre-shared key or certificate
  - Dynamic IP remote gateways (dial up) configure a Local ID which will be sent in the clear when using aggressive mode
- Xauth is used with Dial Up remote gateways to identify the user using a username and password
  - Xauth links to a User Group object of type firewall

PPTP and L2TP
- FortiOS terminates the PPTP/L2TP connection and assigns authenticated users an address out of the configured address pool
  - On successful authentication a temporary rule matching the configured address pool is created
  - Local, RADIUS and LDAP are used to authenticate connecting users

Admin login
- Admin accounts link to a profile defining the user's role and VDOM membership
- Local and RADIUS
  - If both are configured, the RADIUS object is attempted first and then, if there is no response, the Local password is used
- RADIUS Accounting packets are sent for Admin users
- PKI allows a user to be authenticated on presentation of a valid certificate
  - Users are directly connected to the WebUI; no username or password is required

Web Filtering Overrides
- Web Filtering Overrides can be linked to an Authentication object, allowing the user to initiate the override

RADIUS
- FortiGate acts as a network access server (NAS)
  - User information is passed to the RADIUS server
  - User is authenticated based on the RADIUS server's response
- Object identifies the IP address and shared secret of up to two RADIUS servers
- RADIUS object can be used for all services supporting authentication
- RADIUS Accounting for Admin users
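The NAS side of this exchange, as an added example that is not Fortinet code: it hides the User-Password with the shared secret and checks the Response Authenticator on the server's reply, so a reply from a host that does not know the secret is not accepted. The secret, identifier and Request Authenticator are constructed, and build_response only models a cooperating server so the check can be exercised.

```python
"""NAS-side RADIUS exchange: hide the User-Password with the shared secret and
verify the server's reply before trusting it (RFC 2865). Added example, not
Fortinet code; the secret and Request Authenticator in the tests are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def build_access_request(ident, username, password, secret, authenticator):
    """Access-Request as the NAS sends it; `authenticator` must be 16 random bytes."""
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Reply a server that knows the secret would send (models the server side)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, ident, request_auth, secret):
    """Return (accepted, reason): only a well-formed Access-Accept whose Response
    Authenticator matches our request and secret counts as success."""
    if len(packet) < 20:
        return False, "short packet"
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or rid != ident:
        return False, "length or identifier mismatch"
    expected = response_authenticator(code, rid, packet[20:], request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad Response Authenticator (wrong secret or forged reply)"
    if code != ACCESS_ACCEPT:
        return False, "server answered with code %d" % code
    return True, "ok"
```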

LDAP
- FortiGate configured as LDAP client for LDAP server or Active Directory
- Supports LDAP protocol functionality defined in RFC2251 for looking up and validating user names and passwords
- FortiOS v3.00 supports three LDAP Auth Types:
  - Simple: provides simple password authentication without search capabilities (default).
  - Anonymous: binds to the server as an Anonymous user. It then performs the LDAP search and the secondary bind.
  - Regular: binds (logs on) to the LDAP server with a user-specified username and password. It then performs the LDAP search and secondary bind.


SSL VPN

FortiGate SSL VPN Gateway
- Secure access with complete content inspection
  - Inspect traffic from and to SSL VPN users
  - Secondary security measure to ensure client traffic does not contain malicious content
  - Protection includes: Antivirus, Firewall, IPS, Content inspection, Antispam

Types of SSL VPN
- Web Application mode
  - Secured access to a portal interface
  - Available via any browser supporting SSL version 2 or 3
- Tunnel mode
  - Virtual IP assignment (similar to PPP)
  - Uses ActiveX and Java controls
  - Host security is based only on firewall policies

SSL VPN – Configuration
- VPN > SSL > Config

SSL VPN – Configuration
- User > User Group

Web Portal Features
- The firewall can make available any of the following via the web portal interface:
  - HTTP/HTTPS proxy
  - Telnet proxy
  - FTP proxy
  - Windows file share access
  - NFS, SSH, VNC (configured via CLI)

Web Portal Features
- Automatic custom website redirection after log in to portal
- Tools interface:
  - Ping
  - Telnet
- Full bookmarks interface
  - Configured per-user
  - Held in FortiGate configuration file

Web Portal Configuration
- To configure SSL VPN web portal:
  - Enable SSL VPN
  - Create an SSL VPN user group
  - Add users to the SSL VPN user group
  - “Enable Web Application” and desired protocols under “SSL-VPN User Group Options”
  - Create appropriate SSL-VPN firewall policies
- By default the web portal will be accessible at: https://<firewall IP>:10443

Web Portal Configuration
- All SSL VPNs require at least one SSL-VPN firewall policy
- To utilize the proxy features to the Internet, an SSL-VPN firewall policy from External -> External must be created

Web Portal Interface
(screenshot: custom title, bookmarks area, tools)

Tunnel Mode Features
- Supports all types of traffic
- Split-tunneling
- Virtual IP address assignment
- Client integrity checking

Client Integrity Checking
- SSL VPN gateway checks client system
  - Detects client protection applications: Antivirus, Personal firewall
  - Determines state of applications: Active / inactive, Current version (including signature updates)
  - E.g. MS NAP, Cisco NAC, TCG’s TNC
- Provides limited protection
  - Only able to detect client protection applications
  - Relying on external vendors to ensure client integrity
  - Not implemented by all SSL VPN vendors
- Not controlled by vendors
  - Requires administrators to determine appropriate version/signature versions & policy
  - Easily outdated, rendering the protection mechanism useless

Tunnel Mode Configuration
- To configure SSL VPN Tunnel:
  - Enable SSL VPN
  - Choose tunnel IP range
  - Create an SSL VPN user group
  - Add users to the SSL VPN user group
  - Enable “SSL-VPN Tunnel Service” under “SSL-VPN User Group Options”
  - Create appropriate SSL-VPN firewall policies

Tunnel Mode Configuration
- Supported by Microsoft Internet Explorer 6.0+ and Firefox for SSL VPN ActiveX control
- Firewall policy traffic origin will be the interface to which the connection was initiated

User Experience of Tunnel Mode
- User logs in to SSL VPN web portal
- If the SSL VPN group has both portal and tunnel access, “Activate SSL-VPN Tunnel Mode” must be selected
- The SSL VPN ActiveX control or Java applet is downloaded from the firewall only once

User Experience of Tunnel Mode
- A new network connection is created named “fortissl”. It will have a virtual IP address
- The virtual adapter becomes the preferred default route if split tunneling is disabled

User Experience of Tunnel Mode
- The Web Portal page will display the status of the SSL VPN client ActiveX control
- The Web Portal page must remain open for the tunnel to function

Lab
- SSL VPN
  - Web mode configuration
  - Tunnel mode configuration


Virtual Domains

Description
- A virtual domain is a logical firewall within a physical FortiGate

Positioning
- Network Segregation
  - For Administrative or Network addressing purposes (can be used to manage overlapping subnets)
- Managed Firewall
  - Managed Virtual Firewall for Managed Security Service Providers (MSSP)
  - Replaces multiple separate physical devices

Enabling
- VDOM mode may be enabled via the GUI or CLI
  - CLI: Global settings – set “vdom-admin” to “enable”
  - GUI: System > Status

Managing Virtual Domains
- New left menu item “VDOM” under “System”
- Only seen by administrative users with “super_admin” access

Management VDOM
- Connectivity to services including:
  - FortiGuard Services
  - Network Time Protocol synchronization
  - Updates using the FortiGuard Distribution Network (FDN)
  - Connection to FortiAnalyzer / SysLog apparatus
  - Alert E-mail
  - DNS

Global Configuration
- Only accessed using “super_admin” privileges:
  - Interface configuration
  - Configuration of FortiGuard services
  - IPS/AV Signature updates
  - Firmware management
  - Configuration file
  - Content inspection lists (URL filters, banned words, etc.)
  - HA configuration

Administration
- Administrative users are assigned to a VDOM
- VDOM administrators must log in to an interface assigned to their VDOM for management
- Administrators assigned “super_admin” have global administrative privileges

Per-VDOM Objects
- The following are configured per-VDOM:
  - Zones
  - Routing
  - Firewall Objects
  - User Groups
  - VPNs
  - Logging to Memory and Disk

Interface Management
- Interfaces are assigned to a VDOM
- A VDOM may have up to 255 interfaces
- Interfaces must be created and configured in Global management
- An interface assigned to a VDOM may not be referenced by a different VDOM

Inter-VDOM Routing
- Allows packets to traverse virtual domain borders
- Creation via the Global CLI produces an interface pairing
- IP addresses are not critical unless dynamic routing is used

Inter-VDOM Links
- Inter-VDOM links must be created from the global configuration
- Each Inter-VDOM link will create two interfaces:
  - <link name>0
  - <link name>1
- The topology depends on which VDOM each interface is placed in

Inter-VDOM topology examples (diagrams)
- Independent: INTERNET; External v1, v2, v3; Management; Internal v1, v2, v3; Customer 1, 2, 3
- Management: INTERNET; External; Management; Internal v1, v2, v3; Customer 1, 2, 3
- Meshed: INTERNET; External; Management; Internal v1, v2; Customer 1, 2

Lab
- VDOM Administration and Configuration


FortiOS Diagnostics

Self Help
- Check to see if your question has been asked before:
  - FortiOS Release Notes
  - Knowledge Center (kc.fortinet.com)
  - Technical Forums (support.fortinet.com/forum)
  - FortiDocs (docs.fortinet.com)

Problem Definition
- What is the problem?
- Can you reproduce the problem at will, or is the problem intermittent?
- What has changed?
- Determine the scope of the problem. Isolate the problem. What applications/users/operating systems does it affect?

Gathering Facts
- Where, when, and who does this happen to?
- What components are involved?
- What is the affected application?
- Can you trace the problem using a packet sniffer?
- Can you trace the problem in the session table?
- Can you obtain log files that indicate a failure has occurred?

Gathering Facts
- When seeking additional assistance provide:
  - A recent config file
  - A recent debug log
  - A topology diagram
  - get system status of device(s)
  - A diag debug report

Diagnostic Command Overview
- CLI command tree: diagnose
- Commonly used sub-branches
  - diag sniffer
  - diag test
  - diag debug
- Numerous options/parameters viewed with “?”

Normal Operation
- Define ‘normal operation’
- What do you want to achieve?
- Do you know how the system performs in the best case?
- Monitor the system performance with the following CLI command:
  get system performance status
    CPU states: 0% used, 100% idle
    Memory states: 62% used
    Up: 0 days, 23 hours, 55 minutes
  (slide annotation: cpu: 0 0 99  mem: 66)

Sanity Checking – Resource Usage
- Monitor CPU/memory usage of internal processes
  diag sys top <delay> <max_lines>
    Run Time: 18 days, 0 hours and 54 minutes
    0U, 0S, 100I; 1009T, 776F, 91KF
      cmdbsvr      18   S    0.0   6.0
      httpsd       31   S    0.0   1.7
      updated      52   S    0.0   0.6
      thttp       465   S    0.0   0.4
      ipsengine   769   S <  0.0   1.5
      httpsd      848   S    0.0   1.2
      sslvpnd     849   S    0.0   0.6
      httpsd      850   S    0.0   1.7
      scanunitd   904   S <  0.0   0.4
      cli         921   S    0.0   0.4
      cli         925   R    0.0   0.4

Sanity Checking – Proxy operations
- diag test application <daemon>
  - Use option “0” to see choices
  - ftpd: ftp proxy
  - http: http proxy
  - im: im proxy
  - imap: imap proxy
  - ipsengine: ips sensor
  - ipsmonitor: ips monitor
  - pop3: pop3 proxy
  - smtp: smtp proxy
  - urlfilter: urlfilter daemon

Sanity Checking – Hardware NIC
- diagnose hardware deviceinfo nic
- diagnose hardware deviceinfo nic internal
    Rx_Packets=5685708
    Tx_Packets=4107073
    Rx_Bytes=617908014
    Tx_Bytes=1269751248
    Rx_Errors=0
    Tx_Errors=0
    Rx_Dropped=0
    Tx_Dropped=0

Sanity Checking
- Check time and date settings for log message timestamp synchronization
- Check time and date settings for Certificates that have a time requirement to check for validity:
  - execute time
      current time is: 12:40:48
      last ntp sync: Thu Mar 16 12:00:21 2006
  - execute date
      current date is: 2006-03-16
- Force NTP synchronization
  - config system ntp
  - set ntpsync disable/enable

Conserve Mode
- Under high usage/traffic conditions, typically with AV and IPS enabled
- Expected to be a temporary condition that is self-correcting when bursty traffic subsides
  diagnose hardware sysinfo shm
    ...
    conservemode: 0
    ...
- 0: normal condition, 1: memory low condition
- When in Conserve mode, any new sessions are ignored (no SYN-ACK from FortiGate)

Conserve Mode
- diagnose hardware sysinfo shm
    SHM counter:    123
    SHM allocated:  2895872
    SHM total:      41811968
    conservemode:   0
    SHM FS total:   46129152
    SHM FS free:    43110400
    SHM FS avail:   43110400
    SHM FS alloc:   3018752

ARP Table
- To view ARP cache:
  Fortigate-400 # get sys arp
    Address         Age(min)  Hardware Addr      Interface
    172.19.144.12   3         00:09:0f:84:04:5d  port1
    172.19.25.76    4         00:0e:b6:0e:88:a6  port1
- To remove ARP cache: execute clear system arp table
- Static ARP entries can be added: config system arp-table

Traffic Tracing
- Follow a specific packet stream with:
  - Session Table: characteristics of a traffic session through a specific firewall policy
    diag sys session
  - Flow Tracing: per-packet operations
    diag deb flow
  - Packet sniffer: per-ethernet frame tracing
    diag sniffer packet
- Choose tool depending on desired output

Session Table
- Entry in Session Table for each traffic session through a firewall policy
- Set up session filter: diagnose sys session filter <options>
  - clear: clear session filter
  - dport: dest port
  - dst: dest ip address
  - negate: inverse filter
  - policy: policy id
  - proto: protocol number
  - sport: source port
  - src: source ip address
  - vd: index of virtual domain, -1 matches all

Session Table
- diagnose sys session list
    session info: proto=6 proto_state=05 expire=89 timeout=3600 flags=00000000 av_idx=0 use=3
    bandwidth=204800/sec guaranteed_bandwidth=102400/sec traffic=332/sec prio=0 logtype=session
    ha_id=0 hakey=4450
    tunnel=/
    state=log shape may_dirty
    statistic(bytes/packets/err): org=3408/38/0 reply=3888/31/0 tuples=2
    orgin->sink: org pre->post, reply pre->post oif=3/5 gwy=192.168.11.254/10.0.5.100
    hook=post dir=org act=snat 10.0.5.100:1251->192.168.11.254:22(192.168.11.105:1251)
    hook=pre dir=reply act=dnat 192.168.11.254:22->192.168.11.105:1251(10.0.5.100:1251)
    pos/(before,after) 0/(0,0), 0/(0,0)
    misc=0 domain_info=0 auth_info=0 ftgd_info=0 ids=0x0 vd=0 serial=00007c33 tos=ff/ff
- Slide callouts: proto_state = TCP state; expire = session TTL; bandwidth/guaranteed_bandwidth = traffic shaping; statistic = traffic counts; hook lines = NAT operation
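An added example (not Fortinet code) that parses a session entry like the one above into fields, per-direction NAT hooks and byte/packet counters, so the NAT operation and remaining TTL can be read off programmatically; SAMPLE_SESSION is constructed to match the slide, and the exact line layout is an assumption since it varies by FortiOS release.

```python
"""Parse one entry of `diagnose sys session list` into a structured record and
read the NAT hooks off it. Added example, not Fortinet code; SAMPLE_SESSION is
constructed to match the slide and the exact layout varies by FortiOS release."""
import re

SAMPLE_SESSION = """\
session info: proto=6 proto_state=05 expire=89 timeout=3600 flags=00000000 av_idx=0 use=3
bandwidth=204800/sec guaranteed_bandwidth=102400/sec traffic=332/sec prio=0 logtype=session
ha_id=0 hakey=4450
tunnel=/
state=log shape may_dirty
statistic(bytes/packets/err): org=3408/38/0 reply=3888/31/0 tuples=2
orgin->sink: org pre->post, reply pre->post oif=3/5 gwy=192.168.11.254/10.0.5.100
hook=post dir=org act=snat 10.0.5.100:1251->192.168.11.254:22(192.168.11.105:1251)
hook=pre dir=reply act=dnat 192.168.11.254:22->192.168.11.105:1251(10.0.5.100:1251)
misc=0 domain_info=0 auth_info=0 ftgd_info=0 ids=0x0 vd=0 serial=00007c33 tos=ff/ff
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
HOOK_RE = re.compile(r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
                     r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\((?P<nat>[\d.]+:\d+)\)")


def parse_session(text):
    """Return {'fields': {...}, 'hooks': [...], 'stats': {...}} for one session entry."""
    fields, hooks, stats = {}, [], {}
    for line in text.splitlines():
        m = HOOK_RE.search(line)
        if m:  # per-direction NAT hook lines
            hooks.append(m.groupdict())
            continue
        for key, value in KV_RE.findall(line):
            if line.startswith("statistic") and value.count("/") == 2:
                b, p, e = (int(x) for x in value.split("/"))
                stats[key] = {"bytes": b, "packets": p, "errors": e}
            else:
                fields[key] = value
    return {"fields": fields, "hooks": hooks, "stats": stats}


def nat_summary(session):
    """NAT as a defender reads it: snat on the original direction rewrites the
    client source, dnat on the reply direction maps it back."""
    out = {}
    for h in session["hooks"]:
        if h["act"] in ("snat", "dnat"):
            out[h["act"]] = {"dir": h["dir"], "src": h["src"],
                             "dst": h["dst"], "translated": h["nat"]}
    return out


def ttl_remaining(session):
    """Fraction of the session timeout still left (expire / timeout)."""
    f = session["fields"]
    return int(f["expire"]) / int(f["timeout"])


if __name__ == "__main__":
    s = parse_session(SAMPLE_SESSION)
    print(s["fields"]["proto"], s["fields"]["proto_state"], nat_summary(s))
```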

Flow Trace
- Follow packet flow by setting flow filter: diag debug flow filter
- Enable output to console CLI: diag debug flow show
- Start flow monitor with number of packets: diag debug flow trace start <N>
- Stop flow monitor at any time or with stop directive: diag debug flow trace stop

Packet Sniffer
- diagnose sniffer packet <interface> <filter> <verbose> <count>
  - <interface> can be any physical or virtual interface name or ‘any’ for all interfaces
  - <filter> a powerful filter functionality using filters (BPF syntax)
  - <verbose> there are six verbose levels:
    1 - print header of packets
    2 - print header and data from the IP header of the packets
    3 - print header and data from the Ethernet header of the packets
    4 - print header of packets with interface name
    5 - print header and data from ip of packets with interface name
    6 - print header and data from ethernet of packets with interface name
  - <count> the number of packets the sniffer reads before stopping

Debug Command Overview
- Debug output provides continuous real-time event information
- Debug output display must be enabled: diag debug enable
- Be sure to turn off debug output when done: diag debug <cmds..> 0, diag debug reset
- Typically 1 diag debug command at a time (there are exceptions!)

Debug Command Usage
- diag debug enable
  - Redirect debug output to telnet/ssh
- Common debug commands
  diag debug application ike 3 <peer ip address>
  diag debug application dhcps -1
  diag debug application dhcprelay -1
  diag debug application spamfilter 2
  diag debug application urlfilter 2
- Debug level is set at the end of the command
  - -1 activates all debug statements and should be used only when instructed by technical support
  - Typically, support will advise which debugging level to use: 2 and 3 are common settings

Debugging Hints and Tips
- If you need timestamps in debug output: diag deb console timestamp enable
- Try debug level 2 or 3 when in doubt
  - For most verbose output: -1
- Current debug settings: diag debug info

Debug Example
- diag debug enable
- diag debug application ike -1
    FGh_FtiLog1: IPsec SA connect 0 192.168.10.2->192.168.11.201:500, natt_mode=0 rekey=0 phase2=FGh_FtiLog1
    FGh_FtiLog1: using existing connection, dpd_fail=0
    Found existing Phase1
    FGh_FtiLog1: found phase2 FGh_FtiLog1
    FGh_FtiLog1: IPsec SA connect 0 192.168.10.2->192.168.11.201:500 negotiating
    FGh_FtiLog1: overriding selector 225.30.0.8 with 192.168.5.0
    FGh_FtiLog1: initiate an SA with selectors: 192.168.10.2->192.168.5.0, ports=0/0, protocol=0/0
    FGh_FtiLog1: try to negotiate with 1800 life seconds. Create new Phase2
    FGh_FtiLog1: initiator quick-mode set pfs=1536, tunnel
    Send IKE Packet(quick_outI1):192.168.10.2:500(if0) -> 192.168.11.201:500, len=348
    Initiator: sent 192.168.11.201 quick mode message #1 (OK)
    FGh_FtiLog1: set retransmit: st=168, timeout=6
- Slide callout: the addresses in the "IPsec SA connect" line are the Src and Dst GW IP addresses

Lab
- Familiarize yourself with the key commands of the FortiOS CLI diagnose branch:
  - Packet Capture
  - Session Table
  - Debug